January 20, 2019 - 235 Shares

When running web application security assessments it is mandatory to evaluate the security stance of the SSL/TLS (HTTPS) implementation and configuration. OWASP has a couple of references the author strongly recommends taking a look at, the “OWASP-CM-001: Testing for SSL-TLS” checks, part of the OWASP Testing Guide v3, and the Transport Layer Protection Cheat Sheet.

There have been several tools to test for SSL and TLS security misconfiguration along the years, but still today, lots of people get the output from all these tools and are not very sure what they need to look at. Apart from the SSL/TLS web application best practices, it is important to also check the security of SSL/TLS at the web platform layer. One such tool is:

The purpose of the TLSSLed tool (named from the idea of your website being TLS/SSL-ed, that is, using “https;//”) is to simplify the output of a couple of commonly used tools, and highlight the most relevant security findings of any target SSL/TLS implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool.

TLSSLed is a Linux shell script inspired on ssl_test.sh by Aung Khant, where a few optimizations have been made to reduce the stress on the target web server (sslscan is run only once and the results are stored on a local file), and some tests have been added and tuned.

The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.

New in version 1.2: Mac OS X support, an initial check to verify if the target service speaks SSL/TLS, a few optimizations, and new tests for TLS v1.1 & v1.2 (CVE-2011-3389 aka BEAST).

New in version 1.1: Certificate public key length, the certificate subject and issuer (CA), as well as the validity period. It also checks the existence of HTTP secure headers, such as Strict-Transport-Security and cookies with and without the “secure” flag set.

January 20, 2019 - 235 Shares

The latest scandal on the block, it seems like a noted Chinese hacker known as Wicked Rose or Withered Rose is involved with the Antivirus startup Anvisoft. The hackers real name is Tan Dailin and he was previously involved in the hacking of some US defence contractors.

Anvisoft even posted on their official Facebook group a simple response to the original article “Yes it’s true”.

Antivirus startup Anvisoft was founded by an infamous Chinese hacker who allegedly cut his teeth exploiting Microsoft Office security holes to hack US defence contractors, it has emerged.

In response to inquiries from The Reg, Anvisoft confirmed via a message from its official Facebook account that the report is accurate. “Yes, it is true,” it simply stated.

Dailin, AKA Wicked Rose or sometime Withered Rose, allegedly led a state-sponsored four-man crew called NCPH – Network Crack Program Hacker. According to VeriSign’s iDefense, NCPH developed a rootkit [PDF] that was used to infiltrate the US defence establishment in 2006. The group is accused of launching Microsoft Office-based attacks for two years before it disbanded in 2008.

Krebs followed various online clues to piece together his tentative conclusion that Dailin, a 28-year-old graduate of Sichuan University of Science and Engineering in Zigong, registered Anvisoft’s domain in 2011, and may still be a key player at the startup.

One of Dailin’s cohorts in NCPH, a hacker nicknamed Rodag, wrote a blog post describing Anvisoft’s Smart Defender as a “security aid from abroad” and praised the technology, Krebs noted.

From Kreb’s research is seems like it could have been Dailin that actually registered the domain for Anvisoft, which would indicate he is a key player in the operation and perhaps even the founder or co-founder.

Even so, the evidence that has been turned up so far is far from conclusive and as well know just because this chap was mixed up in some dubious activity a few years back – doesn’t mean he isn’t ethically sound now. Some of the best ‘whitehat’ security folks have some distinctly grey stains on their hats.

Trademark registration records pinpoint Anvisoft’s genesis in the Chinese city of Chengdu although the company states it is based in Toronto, Canada.

Kreb’s digital detective work, though persuasive, was far from conclusive, which he admits. There is no suggestion of any wrongdoing by Anvisoft.

“Anvisoft may in fact be a legitimate company, with a legitimate product; and for all I know, it is. But until it starts to answer some basic questions about who’s running the company, this firm is going to have a tough time gaining any kind of credibility or market share,” Krebs noted.

Anvisoft’s technology has not been widely reviewed, but that’s not to say it is ineffective or untrustworthy. Against this Trend Micro, alone among mainstream antivirus software, flags up Anvisoft’s Anvi Smart Defender Free setup utility as malign, according to results from VirusTotal.

Western antivirus firms, at least, generally have a policy of not employing former malware writers. Aside for presenting a negative image to potential customers, and sustaining the myth that antivirus firms employ an underground army of virus programmers to ramp up demand for their products, VXers are thought to be ill-suited to life in an antivirus firm.

Not only have they shown themselves to have dubious morals but from a purely practical view the skills required to write a decent antivirus program are not the same as those necessary to construct modern malware.

January 20, 2019 - 235 Shares

HoneyDrive is a pre-configured honeypot system in virtual hard disk drive (VMDK format) with Ubuntu Server 11.10 32-bit edition installed. It currently contains Kippo SSH honeypot. Additionally it includes useful scripts and utilities to analyze and visualize the data it captures. Lastly, other helpful tools like tshark (command-line Wireshark), pdftools, etc. are also present.

In the future more software will be added such as Dionaea malware honeypot and Honeyd.

You can get the latest version (0.1) of HoneyDrive which contains Kippo SSH honeypot and related scripts (kippo-graph, kippo-stats, kippo-sessions, etc). Everything is pre-configured to work.

After downloading the file, you must uncompress it and then you simply have to create a new virtual machine (suggested software: Oracle VM VirtualBox) and select the VMDK drive as its hard disk.

January 20, 2019 - 235 Shares

Hack.me is a FREE, community based project powered by eLearnSecurity. The community allows you to build, host and share vulnerable web application code for educational and research purposes.

It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online. The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers.

Features

Upload your own code

Online IDE for PHP & MySQL

Your code hosted in the cloud

FREE!!

Practice webapp security

Isolated enviroment

Online: nothing to download!

Safety

Every time you run a new Hackme the site will initiate a new sandbox for you. You will get isolated access to it so that you will always know that the application is safe for you to use. No other students can add malware or exploits in your sandbox. This ensures 99% safety.

What about the 1%? While the team makes the best effort to moderate every and each new web app uploaded on Hack.me, chances are that something can and will slip through. If you are not 100% comfortable to trust us or the Hackme developer, please just run new Hackmes from a virtual machine or from a non production OS.

We have written about a variety of web apps where you can practice your hack-fu such as:

January 20, 2019 - 235 Shares

Another big source code leak, this time VMWare ESX, software which I’m sure most of the readers here have used at some point (I know I have).

There was a time back in 2006 when VMWare Rootkits seemed like they might be the next big thing, but nothing much ever came out of it.

VMware is playing it down, but I think this is a fairly serious leak – we all know what happens when the bad guys get access to source code – they find lovely new 0day bugs to play with.

VMware has confirmed that the source code for old versions of its ESX technology was leaked by hackers over the weekend – but played down the significance of the spill.

The virtualisation giant said on Sunday that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April.

“It is possible that more related files will be posted in the future,” Iain Mulholland, VMware’s director of platform security, explained. “We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”

Mulholland said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, ought to be protected against attacks developed in the wake of the code leak.

“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” he said.

A 2MB compressed archive of the software blueprints was uploaded into file-sharing networks and promoted by various tweeters on Sunday. Some of these tweets, posted with the hashtags #Anonymous #AntiSec and #SourcySleazySundays, claimed that the leaked code was the “full VMware ESX Server Kernel”.

Some of the people posting the code were hash-tagging with Anonymous – but there’s been no ‘official’ announcement from any of the Anonymous channels so I doubt it’s really related.

As usual VMWare are saying if you’re using the latest patched version and have applied the ‘hardening measures’ you will be safe. I’d except something nasty to come out of this within the next month or so.

A person going by the name of Stun, who made the source code available, wrote: “It is the VMKernel from between 1998 and 2004, but as we all know, kernels don’t change that much in programs, they get extended or adapted but some core functionality still stays the same.”

The previous VMWare source code leak was accompanied by the publication of the company’s internal emails via Pastebin by someone called Hardcore Charlie. The Anonymous-affiliated hacker claimed the information came from China National Electronics Import and Export (CEIEC), an engineering and electronics company outfit.

VMware said at the time that customers were not necessarily at greater risk as as result of the leak.

Hacktivists, to say nothing of state-sponsored cyber-espionage, have increased the threat of intellectual property theft for high-tech firms. The VMWare case is not unprecedented.

Earlier this year Symantec admitted source code for the 2006-era versions of the following products had been exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere. The security biz took the highly unusual step of advising customers of pcAnywhere to suspend use of the older versions of remote control desktop management software pending the release of a patch, which arrived within days of the warning.

An Indian hacktivist crew called the Lords of Dharmaraja claimed they lifted Symantec’s source code from systems belonging to the Indian government.

One upside is it’s only the kernel, and it is 8 years old (the kernel is from 1998-2004) – but then again the kernel does provide key functionality and kernels don’t change that much. There have been some major leaks of source code in the last couple of years including Symantec and Kaspersky.

Intellectual Property theft from large corporations is becoming a big thing and a very tasty target for hacktivists as source code and development systems don’t tend to be as highly secure as those containing say financial records or purchase transactions.